Analysis
-
max time kernel
142s -
max time network
137s -
platform
windows10-2004_x64 -
resource
win10v2004-20241007-en -
resource tags
arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system -
submitted
17/01/2025, 19:02
Behavioral task
behavioral1
Sample
RoninTweaksCLI.exe
Resource
win7-20241010-en
General
-
Target
RoninTweaksCLI.exe
-
Size
20.1MB
-
MD5
230f9e03576ff4e7a7e66e2114fe6b8e
-
SHA1
89971565edd8fef92cfb8f0c143905136b64be32
-
SHA256
1f4c708d803e7607540b967db81e8ffb6c3390b06935793c0f11f41e1bcfea40
-
SHA512
fccc96b48b46c6392da69bf8a7175bc40a16ec6e96a798edab49b4fd28c35f4810cde34e1636e7bfd18ddc86d6c670bd751a4a147c3b3e572825f2fa8f90d8b8
-
SSDEEP
393216:iTN7dtptnIVZd7p9mdLt/WVi0teZKwnOEGL26VjSQS6yT:cJtDGL7p8dai06KRq6RSH6yT
Malware Config
Signatures
-
Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 1 IoCs
description ioc Process Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ RoninTweaksCLI.exe -
Checks BIOS information in registry 2 TTPs 2 IoCs
BIOS information is often read in order to detect sandboxing environments.
description ioc Process Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion RoninTweaksCLI.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion RoninTweaksCLI.exe -
Loads dropped DLL 1 IoCs
pid Process 3916 RoninTweaksCLI.exe -
Obfuscated with Agile.Net obfuscator 3 IoCs
Detects use of the Agile.Net commercial obfuscator, which is capable of entity renaming and control flow obfuscation.
resource yara_rule behavioral2/memory/3916-0-0x0000000000400000-0x000000000081A000-memory.dmp agile_net behavioral2/memory/3916-2-0x0000000000400000-0x0000000000768000-memory.dmp agile_net behavioral2/memory/3916-53-0x0000000000400000-0x000000000081A000-memory.dmp agile_net -
resource yara_rule behavioral2/memory/3916-10-0x0000000180000000-0x0000000181D0F000-memory.dmp themida behavioral2/memory/3916-22-0x000000001E4F0000-0x000000001F281000-memory.dmp themida behavioral2/memory/3916-25-0x0000000180000000-0x0000000181D0F000-memory.dmp themida behavioral2/memory/3916-23-0x0000000180000000-0x0000000181D0F000-memory.dmp themida behavioral2/memory/3916-24-0x0000000180000000-0x0000000181D0F000-memory.dmp themida behavioral2/memory/3916-26-0x0000000180000000-0x0000000181D0F000-memory.dmp themida behavioral2/memory/3916-28-0x0000000180000000-0x0000000181D0F000-memory.dmp themida behavioral2/memory/3916-27-0x0000000180000000-0x0000000181D0F000-memory.dmp themida behavioral2/memory/3916-31-0x0000000180000000-0x0000000181D0F000-memory.dmp themida behavioral2/memory/3916-63-0x0000000180000000-0x0000000181D0F000-memory.dmp themida behavioral2/memory/3916-78-0x0000000180000000-0x0000000181D0F000-memory.dmp themida behavioral2/memory/3916-84-0x0000000180000000-0x0000000181D0F000-memory.dmp themida behavioral2/memory/3916-86-0x0000000180000000-0x0000000181D0F000-memory.dmp themida behavioral2/memory/3916-104-0x0000000180000000-0x0000000181D0F000-memory.dmp themida -
description ioc Process Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA RoninTweaksCLI.exe -
Suspicious use of NtSetInformationThreadHideFromDebugger 1 IoCs
pid Process 3916 RoninTweaksCLI.exe -
Suspicious behavior: EnumeratesProcesses 4 IoCs
pid Process 3916 RoninTweaksCLI.exe 3916 RoninTweaksCLI.exe 3916 RoninTweaksCLI.exe 3916 RoninTweaksCLI.exe -
Suspicious use of AdjustPrivilegeToken 1 IoCs
description pid Process Token: SeDebugPrivilege 3916 RoninTweaksCLI.exe
Processes
-
C:\Users\Admin\AppData\Local\Temp\RoninTweaksCLI.exe"C:\Users\Admin\AppData\Local\Temp\RoninTweaksCLI.exe"1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Loads dropped DLL
- Checks whether UAC is enabled
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3916
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
1KB
MD59adc328239101235f8232b6ebb6a1d4d
SHA13ba838ea75ad852caf6d76b4354d70cd4bd27efc
SHA256e0d0cac9520b77ea931ca2b656893adc41c96acf7d52276fa9267e96813f3426
SHA51209a6cc36992bfd03abcba2430676ce511489754df854a4c1ef3ff734cdd4ecbf9cda19e844b9ff1eb21ae9d65395eaa549e36ff7fe8810c67a21b439b4b207ca
-
Filesize
1KB
MD54fc356bb5e3a4c1783a55d3fa28d118f
SHA1eb48c330e792182b0753257c7f92979a70f3a13d
SHA25610abee9a7be4e5fa7ca14a411d76dc62a8fde49ccc6e47129be0d466c7225881
SHA51203b7a36bc7a7bb5938cdc196f01fb5eb21034d58e100c4573cf5386a858760ec587eb01427f3242333c581f99a7aa2cdf795e1f1db3fefa5827c54117141979f